I'm trying to create a pie chart visualization that will display the top 10 incoming requests. I have a search query that filters only the incoming requests which have a field called messages which looks like the following: "Incoming request /api/someaction". How do I do the aggregation based on the /api/someaction part rather than on the entire string (because then "Incoming" is counted as a term)?
Or...can I create custom fields which are, for example, a substring of another field?
Thanks
As mentioned earlier in the comment, I've come up with a solution to my problem. For me, I had values like foo bar baz and I needed to extract the first word. I was able to do this using the "Advanced → JSON" field, using the following script:
{
  "script": "( _value.indexOf(' ') > 0 ? _value.substring(0, _value.indexOf(' ')) : _value )"
}
So, in the Kibana interface this looks like this:
So, in your case, the script should probably be something like:
{
  "script": "( _value.indexOf(' ') > 0 ? _value.substring(_value.lastIndexOf(' ') + 1) : _value )"
}
Obviously, this assumes that the part of the message you want to extract follows the last space in the string. I've written a throwaway Java class to test the above:
public class Foo {
    public static void main(String[] args) {
        String tester = "Incoming request /api/someaction";
        // + 1 skips the space itself, so the result has no leading blank
        String result = tester.substring(tester.lastIndexOf(" ") + 1);
        System.out.println(result);
    }
}
As far as I can tell, you can use any Java code in the "script" key of the JSON field. So you should also be able to use regexes using String.replaceAll or any other String method for that matter...
I haven't tested this though. If someone has any information on this, feel free to leave a comment.
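The following is an added example, not part of the original answer: a standalone Java class for checking a regex-based extraction offline and counting the top paths the way the pie chart's terms aggregation would. The class name, the sample messages and the decision to drop query strings are assumptions made for illustration; it does not show that Kibana's "script" key accepts regex calls.

```java
import java.util.*;
import java.util.regex.*;
import java.util.stream.*;

public class RequestPathTerms {
    // Message shape from the question: "Incoming request <path>".
    // The path is the first run of non-space characters starting with '/'.
    private static final Pattern REQUEST = Pattern.compile("^Incoming request\\s+(/\\S*)");

    // Returns the request path, or null when the message has a different shape.
    // Assumption: query strings are dropped so /api/x?id=1 and /api/x count as one term.
    static String extractPath(String message) {
        if (message == null) return null;
        Matcher m = REQUEST.matcher(message.trim());
        if (!m.find()) return null;
        String path = m.group(1);
        int q = path.indexOf('?');
        return q >= 0 ? path.substring(0, q) : path;
    }

    // Counts paths and returns the n most frequent (ties broken by path name).
    static List<Map.Entry<String, Long>> topPaths(List<String> messages, int n) {
        return messages.stream()
                .map(RequestPathTerms::extractPath)
                .filter(Objects::nonNull)
                .collect(Collectors.groupingBy(p -> p, Collectors.counting()))
                .entrySet().stream()
                .sorted(Map.Entry.<String, Long>comparingByValue().reversed()
                        .thenComparing(Map.Entry.<String, Long>comparingByKey()))
                .limit(n)
                .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed sample messages, not taken from real logs.
        List<String> messages = Arrays.asList(
                "Incoming request /api/someaction",
                "Incoming request /api/someaction?id=42",
                "Incoming request /api/login ",
                "Incoming request /api/login",
                "Incoming request /api/login",
                "Outgoing response 200",
                "Incoming");
        for (Map.Entry<String, Long> e : topPaths(messages, 10)) {
            System.out.println(e.getValue() + "\t" + e.getKey());
        }
    }
}
```

Messages that do not match the expected shape are skipped rather than counted under a partial term, which keeps stray words such as "Incoming" out of the chart.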